WebGoat is a deliberately insecure J2EE web application maintained by OWASP designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use SQL injection to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.

Why the name "WebGoat"? Developers should not feel bad about not knowing security. Even the best programmers make security errors. What they need is a scapegoat, right? Just blame it on the 'Goat!

my only gripes about webgoat is that 1) all the levels are not complete and 2) there is no answer key especially for the new levels and labs implemented in webgoat v4 and 3)there are no links to materials relevant to the lesson level. that would be really handy because sometimes the hints are way to easy or just plain crap, saying go read these documents before you attempt the level would be much more condusive to an self-learn learning process.